Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

ab458511f8...87.exe

windows7-x64

10

ab458511f8...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 09:31 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe

  • Size

    204KB

  • MD5

    123ca854a66c8fc2d1a416a91e4aa620

  • SHA1

    2a349e8e99fc86b3ac4fec97aa65c8f425f879da

  • SHA256

    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87

  • SHA512

    ca0234bd5381c630d6257e37d52afff43401d8dbe265fffe0a37de7a9cd01dd4cd8bc2f75ce0fc48105e78e4be92774b79ca740e3c0e6c99ce541c90cae8f499

  • SSDEEP

    1536:IU+OoSHo1vzxHwxWVJxNy3tQ9CW5EZWHakMwP9W6uXNh9h1AWa11GBPIdRONd+wd:BHo1/V50tQ9nLHbB9WTk9+JgqmlZ2N

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    "C:\Users\Admin\AppData\Local\Temp\ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\xaaasa.exe
      "C:\Users\Admin\xaaasa.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2916

Network

  • flag-us
    DNS
    ns1.spansearcher.net
    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spansearcher.net
    IN A
    Response
  • flag-us
    DNS
    ns1.spinsearcher.org
    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
    Response
  • flag-us
    DNS
    ns1.spinsearcher.org
    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.spinsearcher.org
    IN A
    Response
  • flag-us
    DNS
    ns1.player1352.net
    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.net
    IN A
    Response
    ns1.player1352.net
    IN A
    35.205.61.67
  • 209.197.3.8:80
    260 B
     5
  • 209.197.3.8:80
    322 B
     7
  • 104.80.225.205:443
    322 B
     7
  • 20.189.173.12:443
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 8.8.8.8:53
    ns1.spansearcher.net
    dns
    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    66 B
     139 B
     1
    1

    DNS Request

    ns1.spansearcher.net

  • 8.8.8.8:53
    ns1.spinsearcher.org
    dns
    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    132 B
     296 B
     2
    2

    DNS Request

    ns1.spinsearcher.org

    DNS Request

    ns1.spinsearcher.org

  • 8.8.8.8:53
    ns1.player1352.net
    dns
    ab458511f84fa6e90196aa253b46a927a49512d57f6ab35535a612e609e80c87.exe
    64 B
     80 B
     1
    1

    DNS Request

    ns1.player1352.net

    DNS Response

    35.205.61.67

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\xaaasa.exe
    Filesize

    204KB

    MD5

    994d21b419b879a6bb20f072a665ec07

    SHA1

    a60e9a82dff9d84d49b7102c0c41788ac9501b94

    SHA256

    338df1163e61a4d6df21e023c1e10cc27e44ddac9cbd0d45c7aff737957a671c

    SHA512

    cc7cadbf64dfe383ff941de923f07e92e51e3bb3ca0c7420223be920ae0a4601a2e1389668329329dd6ba761586f24f01679542e1baca37a67cc3e2d008e7637

    Download Submit

  • C:\Users\Admin\xaaasa.exe
    Filesize

    204KB

    MD5

    994d21b419b879a6bb20f072a665ec07

    SHA1

    a60e9a82dff9d84d49b7102c0c41788ac9501b94

    SHA256

    338df1163e61a4d6df21e023c1e10cc27e44ddac9cbd0d45c7aff737957a671c

    SHA512

    cc7cadbf64dfe383ff941de923f07e92e51e3bb3ca0c7420223be920ae0a4601a2e1389668329329dd6ba761586f24f01679542e1baca37a67cc3e2d008e7637

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.